Implicit certificate scheme

ABSTRACT

A method of generating a public key in a secure digital communication system having at least one trusted entity CA and subscriber entities A. For each entity A, the trusted entity selects a unique identity distinguishing the entity A. The trusted entity then generates public key reconstruction public data of the entity A by mathematically combining public values obtained from respective private values of the trusted entity and the entity A. The unique identity and public key reconstruction public data of the entity A serve as A's implicit certificate. The trusted entity combines the implicit certificate information with a mathematical function to derive an entity information ƒ and generates a value k_(A) by binding ƒ with private values of the trusted entity. The trusted entity transmits the value k_(A) to the entity to permit A to generate a private key from k_(A), A's private value and A's implicit certificate. The entity A's public key information may be reconstructed from public information and A's implicit certificate.

This application is a continuation of U.S. patent application Ser. No. 09/667,817 filed on Sep. 22, 2000, which is a continuation of PCT Application No. PCT/CA99/00244 filed on Mar. 23, 1999 which claims priority from Canadian Patent Application No. 2,235,359 filed on Apr. 20, 1998 and Canadian Patent Application No. 2,232,936 filed on Mar. 23, 1998.

This invention relates to key distribution schemes for transfer and authentication of encryption keys.

BACKGROUND OF THE INVENTION

Diffie-Hellman key agreement provided the first practical solution to the key distribution problem in cryptographic systems. The key agreement protocol allowed two parties never having met in advance or shared key material to establish a shared secret by exchanging messages over an open (unsecured) channel. The security rests on the intractability of the Diffie-Hellman problem and the related problem of computing discrete logarithms.

With the advent of the Internet and the like, the requirement for large-scale distribution of public keys and public-key certificates is becoming increasingly important. Public-key certificates are a vehicle by which public keys may be stored, distributed or forwarded over unsecured media without danger of undetectable manipulation. The objective is to make one party's public key available to others such that its authenticity and validity are verifiable.

A public-key certificate is a data structure consisting of a data part and a signature part. The data part contains cleartext data including, as a minimum, a public key and a string identifying the party to be associated therewith. The signature part consists of the digital signature of a certification authority (CA) over the data part, thereby binding the entity's identity to the specified public key. The CA is a trusted third party whose signature on the certificate vouches for the authenticity of the public key bound to the subject entity.

Identity-based systems (ID-based system) resemble ordinary public-key systems, involving a private transformation and a public transformation, but parties do not have explicit public keys as before. Instead, the public key is effectively replaced by a party's publicly available identity information (e.g. name or network address). Any publicly available information, which uniquely identifies the party and can be undeniably associated with the party, may serve as identity information.

An alternate approach to distributing public keys involves implicitly certified public keys. Here explicit user public keys exist, but they must be reconstructed rather than transported by public-key certificates as in certificate based systems. Thus implicitly certified public keys may be used as an alternative means for distributing public keys (e.g. Diffie-Hellman keys).

An example of an implicitly certified public key mechanism is known as Gunther's implicitly-certified (ID-based) public key method. In this method:

1. A trusted server T selects an appropriate fixed public prime p and generator α of Z_(p)^(*). T selects a random integer t, with 1≦t≦p−2 and gcd(t, p−1)=1, as its private key, and publishes its public key u=α^(t) mod p, along with α, p.
2. T assigns to each party A a unique name or identifying string I_(A) and a random integer k_(A) with gcd(k_(A), p−1)=1. T then computes P_(A)=α^(k_(A)) mod p. P_(A) is A's key reconstruction public data, allowing other parties to compute (P_(A))^(a) below.
3. Using a suitable hash function h, T solves the following equation for a:
   h(I_(A))≡t·P_(A)+k_(A)·a (mod p−1)
4. T securely transmits to A the pair (r,s)=(P_(A), a), which is T's ElGamal signature on I_(A). (a is A's private key for Diffie-Hellman key agreement.)
5. Any other party can then reconstruct A's Diffie-Hellman public key P_(A)^(a) entirely from publicly available information (α, I_(A), u, P_(A), p) by computing:
   P_(A)^(a)≡α^(h(I_(A)))·u^(−P_(A)) mod p

Thus for discrete logarithm problems, signing a certificate needs one exponentiation operation, but reconstructing the ID-based implicitly-verifiable public key needs two exponentiations. It is known that exponentiation in the group Z_(p)^(*) and its analog, scalar multiplication of a point in E(F_(q)), is computationally intensive. For example, an RSA scheme is extremely slow compared to elliptic curve systems. However, despite the resounding efficiency of EC systems over RSA-type systems, this is still a problem, particularly for computing devices having limited computing power such as "smart cards", pagers and the like.

SUMMARY OF THE INVENTION

The present invention seeks to provide an efficient ID-based implicit certificate scheme, which provides improved computational speeds over existing schemes. For convenience, we describe the schemes over Z_(p), however these schemes are equally implementable in elliptic curve cryptosystems.

In accordance with this invention there is provided a method of generating an identity-based public key in a secure digital communication system, having at least one trusted entity CA and subscriber entities A, the method comprising the steps of:

(a) for each entity A, the CA selecting a unique identity I_(A) distinguishing the entity A;
(b) generating a public key reconstruction public data γ_(A) of entity A by mathematically combining a generator of the trusted party CA with a private value of the entity A, such that the pair (I_(A), γ_(A)) serves as A's implicit certificate;
(c) combining the implicit certificate information (I_(A), γ_(A)) in accordance with a mathematical function F(γ_(A), I_(A)) to derive an entity information ƒ;
(d) generating a private key a of the entity A by signing the entity information ƒ and transmitting the private key a to the entity A, whereby the entity A's public key may be reconstructed from the public information, the generator γ_(A) and the identity I_(A) relatively efficiently.

In accordance with a further embodiment of the invention there is provided a public key certificate comprising a plurality of public keys having different bit strengths and wherein one of the public keys is an implicitly certified public key.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present invention will now be described by way of example only with reference to the accompanying drawings in which:

FIG. 1 is a schematic representation of a first system configuration according to an embodiment of the present invention; and

FIG. 2 is a schematic representation of a second system configuration according to an embodiment of the present invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

Referring to FIG. 1, a system with implicitly-certified public keys is shown generally by 10. This system 10 includes a trusted third party CA and at least a pair of first and second correspondents A and B respectively. The correspondents A and B exchange information over a communication channel and each includes a cryptographic unit for performing visual finding/verification and encryption/decryption.

Referring back to FIG. 1, the trusted party CA selects an appropriate prime p with p=tq+1 where q is a large prime and a generator α of order q. The CA selects a random integer c, with 1≦c≦q−1, as its private key, then computes the public key β=α^(c) mod p and publishes (β, α, p, q).

Scheme 1:

1. For each party A, the CA chooses a unique distinguished name or identity I_(A) (e.g., name, address, phone number), and a random integer c_(A) with 1≦c_(A)≦q−1. Then the CA computes γ_(A)=α^(c_(A)) mod p. (γ_(A) is the party A's public key reconstruction public data. The pair (I_(A), γ_(A)) serves as A's implicit certificate.)
2. The CA selects a function ƒ=F(I_(A), γ_(A)), for example F(γ_(A), I_(A))=γ_(A)+h(I_(A)) or F(γ_(A), I_(A))=h(γ_(A)+I_(A)), where h is a secure hash function, and solves the following equation for a, which is party A's private key. If a=0, then the CA chooses another c_(A) and re-solves the equation.
   1=cƒ+c_(A)a (mod q)
3. The CA securely sends the triple (γ_(A), a, I_(A)) to A, which is CA's signature on I_(A). Then
   - a is A's private key;
   - γ_(A) is A's generator; and
   - γ_(A)^(a) (=α^(c_(A)a)) is A's public key.

   A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain party A's (ID-based) implicitly verifiable public key from the public domain by computing
   γ_(A)^(a)=αβ^(−ƒ) (mod p),
   thus deriving the public key from the above equation, which requires only one exponentiation operation.

Although everyone can reconstruct party A's public key from public data, this does not mean that the reconstructed public key γ_(A)^(a) has been certified. This scheme is more effective when it is combined with an application protocol that shows that party A has complete knowledge of the corresponding private key, for example the MQV key-agreement scheme or any signature scheme, and particularly KCDSA (Korean Certificate-based Digital Signature Algorithm). In general, this implicit certificate scheme can be used with any scheme that is required to verify the certificate. This may be demonstrated by referring to the Digital Signature Algorithm (DSA) signature scheme.

Suppose Alice has a private key a, generator γ_(A) and publishes (α, I_(A), β, γ_(A), p, q) in the public domain. Now Alice wants to sign a message M using DSA.

Alice does the following:

1. randomly chooses k, computes r=γ_(A)^(k) (mod p);
2. computes e=SHA-1(M);
3. computes s=k⁻¹(e+ar) (mod q);
4. The signature on M is (r,s).

Verifier does the following:

1. gets Alice's public data (α, I_(A), β, γ_(A), p, q) and reconstructs the public key
   δ_(A)=γ_(A)^(a)=αβ^(−ƒ) (mod p);
2. computes e=SHA-1(M);
3. computes μ₁=es⁻¹ (mod q) and μ₂=rs⁻¹ (mod q);
4. computes r′=γ_(A)^(μ₁)δ_(A)^(μ₂) mod p;
5. if r=r′, the signature is verified. At the same time Alice's (ID-based) public key is implicitly verified.

The pair (I_(A), γ_(A)) serves as certificate of Alice. Reconstructing the public key serves as implicit verification when the application protocol results in a valid verification. Recall that obtaining the public key needs only one exponentiation operation.
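The following Python sketch is an added illustration, not code from the patent: it runs Scheme 1 issuance, the one-exponentiation key reconstruction, and the DSA-style sign/verify exchange above. The toy group (p=2039, q=1019, α=4), the use of SHA-256 for both F and the message hash, the subgroup and r mod q checks, and the identity strings are assumptions made for the example.

```python
# Added illustration of Scheme 1 with DSA-style implicit verification.
# Toy parameters constructed for this example; far too small for real use.
import hashlib
import secrets

P, Q, ALPHA = 2039, 1019, 4  # p = 2q + 1; alpha = 2^2 has prime order q
assert (P - 1) % Q == 0 and ALPHA != 1 and pow(ALPHA, Q, P) == 1


def hash_to_zq(*parts):
    """Hash values into {1, ..., q-1}. SHA-256 is an assumption of this sketch."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def F(gamma, identity):
    """Entity information f = h(gamma_A || I_A), one of the forms the text allows."""
    return hash_to_zq("F", gamma, identity)


def ca_keygen():
    c = secrets.randbelow(Q - 1) + 1           # CA private key, 1 <= c <= q-1
    return c, pow(ALPHA, c, P)                 # (c, beta)


def ca_issue(c, identity):
    """Solve 1 = c*f + c_A*a (mod q) for a; return (gamma_A, a)."""
    while True:
        c_a = secrets.randbelow(Q - 1) + 1
        gamma = pow(ALPHA, c_a, P)
        f = F(gamma, identity)
        a = (1 - c * f) * pow(c_a, -1, Q) % Q
        if a != 0:                             # step 2: choose another c_A if a = 0
            return gamma, a


def reconstruct(beta, gamma, identity):
    """delta_A = alpha * beta^(-f) mod p: a single exponentiation."""
    return ALPHA * pow(beta, -F(gamma, identity), P) % P


def sign(gamma, a, message):
    """Alice signs with her own generator gamma_A and private key a."""
    e = hash_to_zq("msg", message)
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(gamma, k, P)
        s = pow(k, -1, Q) * (e + a * r) % Q
        # Retry if s = 0 or r = 0 (mod q): the second exponent in verification
        # would vanish and the signature would no longer depend on the key.
        if s != 0 and r % Q != 0:
            return r, s


def verify(beta, gamma, identity, message, sig):
    """Verifier sees only public data; the key is rebuilt from (I_A, gamma_A)."""
    r, s = sig
    if not (1 < gamma < P) or pow(gamma, Q, P) != 1:
        return False                           # gamma_A must lie in the order-q subgroup
    if not (0 < r < P and 0 < s < Q) or r % Q == 0:
        return False
    delta = reconstruct(beta, gamma, identity)
    e = hash_to_zq("msg", message)
    w = pow(s, -1, Q)
    u1, u2 = e * w % Q, r * w % Q
    return pow(gamma, u1, P) * pow(delta, u2, P) % P == r


def demo():
    c, beta = ca_keygen()
    identity = "alice@example.test"            # constructed identity string
    gamma, a = ca_issue(c, identity)
    sig = sign(gamma, a, "constructed test message")
    return {
        "key_matches": reconstruct(beta, gamma, identity) == pow(gamma, a, P),
        "valid": verify(beta, gamma, identity, "constructed test message", sig),
        "wrong_identity": verify(beta, gamma, "mallory@example.test",
                                 "constructed test message", sig),
    }


if __name__ == "__main__":
    print(demo())
```

A signature that verifies under the reconstructed key is what ties the key to the pair (I_(A), γ_(A)); reconstruction alone succeeds for any identity string and proves nothing by itself.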

In an alternate embodiment, the scheme can be generalized to most ElGamal signature schemes by modifying the signing equation appropriately. In the following section, we give some examples.

Scheme 2:

The CA uses the signing equation 1=ca+c_(A)ƒ (mod q). The CA securely sends the triple (γ_(A), a, I_(A)) to A, then a is A's private key, β is A's generator and β^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

   β^(a)=αγ_(A)^(−ƒ) (mod p)

For this scheme, each user has the same generator β, which is the CA's public key.

Scheme 3:

The CA uses the signing equation a=cƒ+c_(A) (mod q). The CA securely sends the triple (γ_(A), a, I_(A)) to A, then a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

   α^(a)=β^(ƒ)γ_(A) (mod p)

For this scheme, each user including the CA has the same generator α.

Scheme 4:

The CA uses the signing equation a≡c_(A)ƒ+c (mod q). The CA securely sends the triple (γ_(A), a, I_(A)) to A, then a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

   α^(a)=γ_(A)^(ƒ)β (mod p)

For this scheme, each user including the CA has the same generator α.

In the above schemes, the user or party A does not have the freedom to choose its own private key. In the following schemes, as illustrated in FIG. 2, both the CA and the user control the user's private key, but only the user knows its private key.

Scheme 5:

A first randomly chooses an integer k and computes α^(k), then sends it to the CA. The CA computes γ_(A)=α^(kc_(A)) mod p, and solves the following signing equation for k_(A):

   1=cƒ+c_(A)k_(A) (mod q).

Then the CA computes γ_(A)¹=α^(c_(A)) mod p and sends the triple (γ_(A)¹, k_(A), I_(A)) to A. A computes a=k_(A)k⁻¹ (mod q) and γ_(A)=(γ_(A)¹)^(k) (mod p). Then a is A's private key, γ_(A) is A's generator and γ_(A)^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

   γ_(A)^(a)=αβ^(−ƒ) (mod p)

Scheme 6:

1. A randomly chooses an integer k and computes β^(k), then sends it to the CA.
2. The CA randomly chooses an integer c_(A), computes γ_(A)=β^(k)α^(c_(A)) (mod p) and ƒ=F(γ_(A), I_(A)), and solves the signing equation for k_(A) (if k_(A)=0, then choose another c_(A)):
   1=ck_(A)+c_(A)ƒ (mod q).
   Then the CA computes γ_(A)¹=(β^(k))^(c_(A)c⁻¹) (mod p) and sends the triple (γ_(A)¹, k_(A), I_(A)) to A.
   Note: (γ_(A)¹, k_(A), I_(A)) can be sent by public channel.
3. A computes γ_(A)=(γ_(A)¹)^(k⁻¹)β^(k) (mod p), ƒ=F(γ_(A), I_(A)), and a=k_(A)−kƒ (mod q) (if a=0,1, then goes back to step 1). Then checks if β^(a)=αγ_(A)^(−ƒ). Now a is A's private key, β is A's generator and β^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
   β^(a)=αγ_(A)^(−ƒ) (mod p)

Scheme 7:

A first randomly chooses an integer k and computes α^(k), then sends it to the CA. Now the CA computes γ_(A)=α^(k)α^(c_(A)) (mod p) and solves the signing equation for k_(A):

   k_(A)≡cƒ+c_(A) (mod q)

Then the CA computes γ_(A)¹=(α^(k))^(c_(A)) (mod p) and sends the triple (γ_(A)¹, k_(A), I_(A)) to A. A computes γ_(A)=(γ_(A)¹)^(k⁻¹)α^(k) (mod p). Then a=k_(A)+k (mod q) is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

   α^(a)=β^(ƒ)γ_(A) (mod p)

Scheme 8:

1. A randomly chooses an integer k and computes α^(k), then sends it to the CA.
2. The CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_(A)) (mod p) and ƒ=F(γ_(A), I_(A)), and computes k_(A) (if k_(A)=0, then choose another c_(A)):
   k_(A)≡c_(A)ƒ+c (mod q)
   Then the CA computes γ_(A)¹=(α^(k))^(c_(A)) (mod p) and sends the triple (γ_(A)¹, k_(A), I_(A)) to A.
   Note: (γ_(A)¹, k_(A), I_(A)) can be sent by public channel.
3. A computes γ_(A)=(γ_(A)¹)^(k⁻¹)α^(k) (mod p), ƒ=F(γ_(A), I_(A)), and a=k_(A)+kƒ (mod q) (if a=0,1, then goes back to step 1). Then checks if α^(a)=γ_(A)^(ƒ)β. Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
   α^(a)=γ_(A)^(ƒ)β (mod p)

In the above schemes 5-8, anyone can get some partial information about user A's private key a, since k_(A) is sent by public channel. To hide this information and to speed up computation of the above schemes, we introduce DES encryption to get the following schemes 9-12 by modifying schemes 5-8. The advantage of schemes 9-12 is that the user can compute K easily since β is fixed.

Scheme 9:

1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(kc_(A)) (mod p) and ƒ=F(γ_(A), β, I_(A)), and solves the signing equation for k_(A) (if k_(A)=0, then choose another c_(A)):
   1=cƒ+c_(A)k_(A) (mod q)
   Next CA computes K=(α^(k))^(c) (mod p) and k̄_(A)=DES_(K)(k_(A)), then sends the triple (γ_(A), k̄_(A), I_(A)) to A.
3. A computes K=β^(k) (mod p), k_(A)=DES_(K)(k̄_(A)), and a=k_(A)k⁻¹ (mod q) (if a=1, then goes back to step 1). Then checks if γ_(A)^(a)=αβ^(−ƒ). Now a is A's private key, γ_(A) is A's generator and γ_(A)^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
   γ_(A)^(a)=αβ^(−ƒ) (mod p)

Scheme 10:

1. A randomly chooses an integer k and computes β^(k), then sends it to CA.
2. CA randomly chooses an integer c_(A), computes γ_(A)=β^(k)α^(c_(A)) (mod p) and ƒ=F(γ_(A), β, I_(A)), and solves the signing equation for k_(A) (if k_(A)=0, then choose another c_(A)):
   1=ck_(A)+c_(A)ƒ (mod q)
   Next CA computes K=(β^(k))^(c_(A)c⁻¹)=α^(kc_(A)) (mod p) and k̄_(A)=DES_(K)(k_(A)), then sends the triple (γ_(A), k̄_(A), I_(A)) to A.
   Note: (γ_(A), k̄_(A), I_(A)) can be sent by public channel.
3. A computes K=(γ_(A)/β^(k))^(k)=α^(kc_(A)) (mod p), k_(A)=DES_(K)(k̄_(A)), ƒ=F(γ_(A), β, I_(A)) and computes a=k_(A)−kƒ (mod q) (if a=0,1, then goes back to step 1). Then checks if β^(a)=αγ_(A)^(−ƒ). Now a is A's private key, β is A's generator and β^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
   β^(a)=αγ_(A)^(−ƒ) (mod p)

Scheme 11:

1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_(A)) (mod p) and ƒ=F(γ_(A), β, I_(A)), and computes k_(A) (if k_(A)=0, then choose another c_(A)):
   k_(A)=cƒ+c_(A) (mod q).
   Next CA computes K=(α^(k))^(c) (mod p) and k̄_(A)=DES_(K)(k_(A)), then sends the triple (γ_(A), k̄_(A), I_(A)) to A.
   Note: (γ_(A), k̄_(A), I_(A)) can be sent by public channel.
3. A computes K=β^(k) (mod p), k_(A)=DES_(K)(k̄_(A)), and a=k_(A)+k (mod q) (if a=0,1, then goes back to step 1). Then checks if α^(a)=β^(ƒ)γ_(A). Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
   α^(a)=β^(ƒ)γ_(A) (mod p)

Scheme 12:

1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_(A)) (mod p) and ƒ=F(γ_(A), β, I_(A)), and computes k_(A) (if k_(A)=0, then choose another c_(A)):
   k_(A)=c_(A)ƒ+c (mod q)
   Next CA computes K=(α^(k))^(c) (mod p) and k̄_(A)=DES_(K)(k_(A)), then sends the triple (γ_(A), k̄_(A), I_(A)) to A.
   Note: (γ_(A), k̄_(A), I_(A)) can be sent by public channel.
3. A computes K=β^(k) (mod p), k_(A)=DES_(K)(k̄_(A)), ƒ=F(γ_(A), β, I_(A)), and a=k_(A)+kƒ (mod q) (if a=0,1, then goes back to step 1). Then checks if α^(a)=γ_(A)^(ƒ)β. Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q).
4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
   α^(a)=γ_(A)^(ƒ)β (mod p)

The advantages of schemes 9-12 are that user A can compute K easily since β is fixed, and that k_(A) is encrypted such that no one else can know it.

Note that for schemes 5-12, adding an option parameter OP to the function F(γ_(A), β, I_(A)) (i.e., ƒ=F(γ_(A), β, I_(A), OP)) will make the schemes more useful. For example, OP=α^(a_(E)), where a_(E) is user A's private encryption key and α^(a_(E)) is user A's public encryption key. Following scheme 15 is a modification of scheme 7. Schemes 5-12 can be modified in the same way. The schemes 1-4 can also be modified in the same way.

Scheme 13:

1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_(A)) (mod p) and ƒ=F(γ_(A), I_(A), OP), and computes k_(A) (if k_(A)=0, then choose another c_(A)):
   k_(A)≡cƒ+c_(A) (mod q).
   Next CA computes K=H((α^(k))^(c)) and k̄_(A)=DES_(K)(k_(A)), then sends the triple (ƒ, k̄_(A), I_(A)) to A.
3. A computes K=H(β^(k)), k_(A)=DES_(K)(k̄_(A)), and a=k_(A)+k (mod q) (if a=0,1, then goes back to step 1). Then computes γ_(A)=α^(a)β^(−ƒ) (mod p) and checks if ƒ=F(γ_(A), I_(A), OP). Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
   α^(a)=β^(ƒ)γ_(A) (mod p)

Furthermore, we can reduce the bandwidth by the following scheme 14.

Scheme 14:

1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_(A)) (mod p) and sets γ̂_(A) as the first 80 least significant bits of γ_(A). Then computes ƒ=F(γ̂_(A), I_(A), OP) and k_(A) (if k_(A)=0, then choose another c_(A)):
   k_(A)≡cƒ+c_(A) (mod q).
   Next CA computes K=(α^(k))^(c) (mod p) and k̄_(A)=DES_(K)(k_(A)), then sends the triple (γ̂_(A), k̄_(A), I_(A)) to A.
   Note: (γ̂_(A), k̄_(A), I_(A)) can be sent by public channel.
3. A computes K=β^(k) (mod p), k_(A)=DES_(K)(k̄_(A)), and a=k_(A)+k (mod q) (if a=0,1, then goes back to step 1). Then computes ƒ=F(γ̂_(A), β, I_(A)), γ_(A)=α^(a)β^(−ƒ) (mod p) and checks if the first 80 least significant bits of γ_(A) is γ̂_(A). Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
   α^(a)=β^(ƒ)γ_(A) (mod p)

The security level of scheme 5.c is not as high as that of the other schemes discussed before. Scheme 5.c only has 80-bit security, but this is acceptable for practical applications now. We can extend the first 80 least significant bits to the half least significant bits of γ_(A).

The implicit certificate can be used to certify some other useful information by including the information in the option parameter OP. For example OP=α^(a_(E))∥OP₂, where a_(E) is another private key of user A and α^(a_(E)) is the corresponding public key. Following scheme 15 is a modification of scheme 7. Other schemes can be modified in the same way.

Scheme 15:

1. A randomly chooses an integer a_(E) and computes α^(a_(E)).
2. A randomly chooses an integer k and computes α^(k), then sends α^(k) and α^(a_(E)) to CA.
3. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_(A)) (mod p) and ƒ=F(γ_(A), β, I_(A), α^(a_(E))) (for example, ƒ=F(γ_(A), β, I_(A), α^(a_(E)))=h(γ_(A)∥β∥I_(A)∥α^(a_(E)))), and computes k_(A) (if k_(A)=0, then choose another c_(A)):
   k_(A)=cƒ+c_(A) (mod q)
   Then CA computes γ_(A)¹=(α^(k))^(c_(A)) (mod p) and sends the triple (γ_(A)¹, k_(A), I_(A)) to A.
   Note: (γ_(A)¹, k_(A), I_(A)) can be sent by public channel.
4. A computes a=k_(A)+k (mod q) (if a=0,1, then goes back to step 1) and computes γ_(A)=(γ_(A)¹)^(k⁻¹)α^(k) (mod p). Then checks if α^(a)=β^(ƒ)γ_(A). Now a is A's private signing key, α is A's generator and α^(a) is A's public signing key; a_(E) is A's private encryption key and α^(a_(E)) is A's public encryption key. A publishes (α, α^(a_(E)), I_(A), β, γ_(A), p, q) in the public domain.
5. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
   α^(a)=β^(ƒ)γ_(A) (mod p)

Notes (for schemes 13-15):

1. The identity I_(A) may be chosen either by CA or by entity A.
2. CA should authenticate the entity A. It can be done by the method described in the note 2 of scheme 11.
3. (ƒ, k̄_(A), I_(A)) or (γ̂_(A), k̄_(A), I_(A)) or (γ_(A)¹, k_(A), I_(A)) can be sent by public channel.

In our schemes, (a, γ_(A)) is CA's signature on A's ID I_(A); it was supposed to be known by the public. But now, only user A knows a. So when we use these schemes, we should make sure that in the application protocol, user A knows his/her own private key. In other words, the application protocol must guarantee that A uses his/her private key in the computation.
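As an added illustration (not code from the patent), the sketch below walks through the jointly generated key of Scheme 7: A contributes k, the CA contributes c_(A), and only A can form a=k_(A)+k. It also applies the acceptance check α^(a)=β^(ƒ)γ_(A) that Schemes 11 and 15 state for the same signing equation. The toy group, SHA-256 as h, the subgroup check on the request, and the function names are assumptions of the example.

```python
# Added illustration of Scheme 7 (user and CA jointly determine the key).
# Toy parameters constructed for this example; far too small for real use.
import hashlib
import secrets

P, Q, ALPHA = 2039, 1019, 4  # p = 2q + 1; alpha has prime order q


def F(gamma, identity):
    """f = h(gamma_A || I_A) mapped into {1, ..., q-1} (SHA-256 assumed)."""
    d = hashlib.sha256(f"{gamma}|{identity}".encode()).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1


def rand_exp():
    return secrets.randbelow(Q - 1) + 1        # uniform in 1..q-1


def user_request():
    """A picks k and sends alpha^k; k never leaves A."""
    k = rand_exp()
    return k, pow(ALPHA, k, P)


def ca_respond(c, identity, alpha_k):
    """CA: gamma_A = alpha^k * alpha^c_A, k_A = c*f + c_A (mod q)."""
    if not (1 < alpha_k < P) or pow(alpha_k, Q, P) != 1:
        raise ValueError("request value is not in the order-q subgroup")
    while True:
        c_a = rand_exp()
        gamma = alpha_k * pow(ALPHA, c_a, P) % P
        k_a = (c * F(gamma, identity) + c_a) % Q
        if k_a != 0:                           # choose another c_A if k_A = 0
            gamma1 = pow(alpha_k, c_a, P)      # gamma_A^1 = (alpha^k)^c_A
            return gamma1, k_a                 # may travel over a public channel


def user_finish(k, beta, identity, gamma1, k_a):
    """A recovers gamma_A, forms a = k_A + k, and checks the certificate."""
    gamma = pow(gamma1, pow(k, -1, Q), P) * pow(ALPHA, k, P) % P
    a = (k_a + k) % Q
    if a in (0, 1):
        return None                            # caller goes back to step 1
    if pow(ALPHA, a, P) != pow(beta, F(gamma, identity), P) * gamma % P:
        raise ValueError("alpha^a != beta^f * gamma_A: reject the response")
    return gamma, a


def enroll(c, beta, identity):
    """Run the exchange until A holds a usable (gamma_A, a)."""
    while True:
        k, alpha_k = user_request()
        gamma1, k_a = ca_respond(c, identity, alpha_k)
        result = user_finish(k, beta, identity, gamma1, k_a)
        if result is not None:
            return result


def reconstruct(beta, gamma, identity):
    """Any party: alpha^a = beta^f * gamma_A (mod p)."""
    return pow(beta, F(gamma, identity), P) * gamma % P


if __name__ == "__main__":
    c = rand_exp()
    beta = pow(ALPHA, c, P)
    gamma, a = enroll(c, beta, "alice@example.test")   # constructed identity
    print(reconstruct(beta, gamma, "alice@example.test") == pow(ALPHA, a, P))
```

The CA sees α^(k), c_(A) and k_(A) but never k, so it cannot compute a; a response altered in transit fails A's check instead of silently yielding a key that nobody can reconstruct.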

The security of the new scheme depends on the signing equations. For example, in scheme 1, the signing equation is

   1=cƒ+c_(A)a (mod q).  (1)

We are going to show that for some choice of the one-way function F(γ_(A), I_(A)), the new scheme 1 is equivalent to DSA.

Let's consider CA using the DSA signing equation to sign A's identity I_(A). First CA randomly chooses a c_(A) and computes γ_(A)=α^(c_(A)) mod p, then CA uses a secure hash function h to compute h(I_(A)), and finally CA solves the following equation for s.

   h(I_(A))≡cγ_(A)+c_(A)s (mod q).  (2)

Now (γ_(A), s) is CA's signature on I_(A).

Multiplying equation (2) by h(I_(A))⁻¹, we get

   1≡cγ_(A)h(I_(A))⁻¹+c_(A)sh(I_(A))⁻¹ (mod q)

Let F(γ_(A), I_(A))=γ_(A)h(I_(A))⁻¹ and replace sh(I_(A))⁻¹ by a in the above equation; we get equation (1). Obviously, equation (2) is equivalent to equation (1) if F(γ_(A), I_(A))=γ_(A)h(I_(A))⁻¹. That means that if anyone can break the scheme using the signing equation (1), then he/she can break the scheme using the signing equation (2), which is the DSA scheme.

Heuristic arguments suggest our new schemes are secure for a suitable choice of F(γ_(A), I_(A)), where F(γ_(A), I_(A))=γ_(A)h(I_(A)) or F(γ_(A), I_(A))=h(γ_(A), I_(A)). Note that F(γ_(A), I_(A)) can be some other format; for example, when I_(A) is small, say 20 bits, but q is more than 180 bits, then we can use F(γ_(A), I_(A))=γ_(A)+I_(A). A disadvantage of the new schemes is that all users and the CA use the same field size. However, this is the way that all ID-based implicitly certified public key schemes work, for example, Girault's RSA-based Diffie-Hellman public key agreement scheme.

A further set of schemes may also be described as follows:

System setup: A trusted party CA selects an appropriate prime p with p=tq+1 where q is a large prime and a generator α of order q. CA selects a random integer c, with 1<c<q, as its private key, computes the public key β=α^(c) mod p and publishes (β, α, p, q). Then CA chooses a special cryptographic function ƒ=F(γ_(A), I_(A), OP) (ƒ: {0,1}* → {1, 2, …, (q−1)}) such that with this function, the signature scheme which is used to produce the implicit certificate is secure, where OP represents some option parameters that the user may be concerned with (such as the date, or β, the CA's public key). For example, let h be a secure hash function; ƒ can be one of the following formats:

1. F(γ_(A), I_(A), OP)=γ_(A)+β+h(I_(A))
2. F(γ_(A), I_(A), OP)=h(γ_(A)∥β∥I_(A))
3. F(γ_(A), I_(A), OP)=γ_(A)+β+I_(A) where I_(A) has some pattern (or when I_(A) is small, say 20 bits, and q is more than 180 bits)
4. F(γ_(A), I_(A), OP)=γ_(A)+h(I_(A))
5. F(γ_(A), I_(A), OP)=h(γ_(A)∥I_(A))
6. F(γ_(A), I_(A), OP)=γ_(A)+I_(A) where I_(A) has some pattern (or when I_(A) is small, say 20 bits, and q is more than 180 bits)
7. It is very easy to change the parameters a little bit to get a secure signature scheme from a given secure signature scheme. So F(γ_(A), I_(A), OP) can be any other format that guarantees the signature scheme which is used to produce the implicit certificate is secure. Note that by suitably choosing F(γ_(A), I_(A), OP), any ElGamal-like signature scheme we know so far is equivalent to one of the 4 families of schemes we proposed in this paper if it is used as an implicit certificate scheme after modification. But our proposed schemes have the most efficiency.

Note: the above system setup will be assumed in the following schemes.

Scheme 1.a:

1. For each entity A, CA chooses a unique distinguished name or identity I_(A) (e.g., name, address, phone number), and a random integer c_(A) with 1<c_(A)<q. Then CA computes γ_(A)=α^(c_(A)) mod p. (γ_(A) is A's public key reconstruction public data. (I_(A), γ_(A)) serves as A's implicit certificate.)
2. CA computes ƒ=F(γ_(A), I_(A), OP) and solves the following equation for a (if a=0, 1, c, c_(A)⁻¹c, then chooses another c_(A) and re-solves the equation).
   1=cƒ+c_(A)a (mod q).
3. CA securely sends the triple (γ_(A), a, I_(A)) to A, which is CA's signature on I_(A). Then a is A's private key, γ_(A) is A's generator and γ_(A)^(a) (=α^(c_(A)a)) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain A's (ID-based) implicitly verified public key from the public domain by computing
   γ_(A)^(a)=αβ^(−ƒ) (mod p)

Note:

1. In step 1, the identity I_(A) may be chosen by entity A.
2. In step 2, we exclude a=0,1, since in this case anyone can easily know A's private key. Especially when a=0, c_(A)⁻¹c, anyone can compute CA's private key c from 1=cƒ (mod q).
3. For this scheme, each user has a different system generator γ_(A).

Scheme 1.b:

1. For each entity A, CA chooses a unique distinguished name or identity I_(A) (e.g., name, address, phone number), and a random integer c_(A) with 1<c_(A)<q. Then CA computes γ_(A)=α^(c_(A)) mod p. (γ_(A) is A's public key reconstruction public data. (I_(A), γ_(A)) serves as A's implicit certificate.)
2. CA computes ƒ=F(γ_(A), I_(A), OP) and solves the following equation for a (if a=0, 1, c, then chooses another c_(A) and re-solves the equation).
   1≡ca+c_(A)ƒ (mod q).
3. CA securely sends the triple (γ_(A), a, I_(A)) to A, which is CA's signature on I_(A). Then a is A's private key, β is A's generator and β^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain A's (ID-based) implicitly verified public key from the public domain by computing
   β^(a)=αγ_(A)^(−ƒ) (mod p)

Note:

1. In step 1, the identity I_(A) may be chosen by entity A.
2. In step 2, we exclude a=0,1, since in this case anyone can easily know A's private key. When a=0, the certificate does not involve the CA.
3. For this scheme, each user has the same system generator β.

Scheme 1.c:

1. For each entity A, CA chooses a unique distinguished name or identity I_(A) (e.g., name, address, phone number), and a random integer c_(A) with 1<c_(A)<q. Then CA computes γ_(A)=α^(c_(A)) mod p. (γ_(A) is A's public key reconstruction public data. (I_(A), γ_(A)) serves as A's implicit certificate.)
2. CA computes ƒ=F(γ_(A), I_(A), OP) and solves the following equation for a (if a=0, 1 or c, then chooses another c_(A) and re-solves the equation).
   a≡cƒ+c_(A) (mod q).
3. CA securely sends the triple (γ_(A), a, I_(A)) to A, which is CA's signature on I_(A). Then a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain A's (ID-based) implicitly verified public key from the public domain by computing
   α^(a)=β^(ƒ)γ_(A) (mod p)

Note:

1. In step 1, the identity I_(A) may be chosen by entity A.
2. In step 2, we exclude a=0,1, since in this case anyone can easily know A's private key.
3. For this scheme, each user has the same system generator α.

Scheme 1.d:

1. For each entity A, CA chooses a unique distinguished name or identity I_(A) (e.g., name, address, phone number), and a random integer c_(A) with 1<c_(A)<q. Then CA computes γ_(A)=α^(c_(A)) mod p. (γ_(A) is A's public key reconstruction public data. (I_(A), γ_(A)) serves as A's implicit certificate.)
2. CA computes ƒ=F(γ_(A), I_(A), OP) and solves the following equation for a (if a=0, 1 or c, then chooses another c_(A) and re-solves the equation).
   a≡c_(A)ƒ+c (mod q).
3. CA securely sends the triple (γ_(A), a, I_(A)) to A, which is CA's signature on I_(A). Then a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in the public domain.
4. Anyone can obtain A's (ID-based) implicitly verified public key from the public domain by computing
   α^(a)=γ_(A)^(ƒ)β (mod p)

Note:

1. In step 1, the identity I_(A) may be chosen by entity A.
2. In step 2, we exclude a=0,1, since in this case anyone can easily know A's private key.
3. For this scheme, each user has the same system generator α.

Although everyone can reconstruct user A's public key from public data, this does not mean that the reconstructed public key has been certified. To explicitly verify the certificate, we need to know a. Once we know a, the verification process becomes verifying CA's signature on I_(A). For example, in scheme 1.a, if the verifier computes αβ^(−ƒ) and user A computes γ_(A)^(a) using a, then they can verify the certificate together. But the verifier must make sure that user A indeed knows a. So reconstructing the public key serves as an implicit verification only if it is combined with an application protocol that shows user A has complete knowledge of the corresponding private key. In general, the implicit certificate scheme can be used with any public key scheme which needs to authenticate the subject entity and the public key.

Let's demonstrate it by using the DSA signature scheme as the implicit certified public key system and scheme 1.a as the implicit certificate scheme.

Suppose Alice has private key a, generator γ_(A) and publishes (α, I_(A), γ_(A), p, q) in the public domain. Now Alice wants to sign a message M using DSA.
Alice does following: -   1. randomly chooses k, computes r=γ_(A) ^(π) (mod p). -   2. computes e=sha-1(M). -   3. compute s=x⁻¹(e+αr) (mod q) -   4. The signature on M is (r,s).     Verifier does following -   1. gets Alice's public data (α, I_(A), β, p, q) and computes ƒ and     reconstructs the public key     β_(A)=γ_(A) ^(a)=αβ^(−ƒ) (mod p) -   2. computes e=sha-1(M). -   3. computes u₁=es⁻¹ (mod q) and u₂=rs⁻¹ (mod q) -   4. computes r′=γ_(A) ^(u) ₁ δ_(A) ^(u) ₂ (mod p) -   5. if r=r′, the signature is verified. At same time Alice's     (ID-bases) public key is implicitly verified.

The pair (I_(A), γ_(A)) serves as the certificate of Alice. For DSA, we know that it is very hard to forge Alice's signature without knowing a. Reconstructing the public key therefore serves as implicit verification when the application protocol ends with a valid result. Recall that obtaining the public key needs only one exponentiation operation. For this reason, we say that verifying the implicit certificate needs one exponentiation operation.

The following implicit certificate schemes may be derived by modifying the schemes above such that CA and entity both control the entity's private key but only the subject entity knows his/her private key.

In this section we need another system parameter H(*), where H(*) is a cryptographic function which may be a secure hash function, a one-way function or the identity map.

Scheme 2.a:

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(kc_A) (mod p) and ƒ=F(γ_(A),I_(A), OP), solves the signing equation for k_(A) (if k_(A)=0 or c, then chooses another c_(A))
    1=cƒ+c_(A)k_(A) (mod q).
    Then CA computes γ_(A)¹=α^(c_A) (mod p) and sends the triple (γ_(A)¹,k_(A),I_(A)) to A.
-   3. A computes a=k_(A)k⁻¹ (mod q) (if a=1, then goes back to step 1) and computes γ_(A)=(γ_(A)¹) (mod p). Then checks if γ_(A)^(a)=αβ^(−ƒ). Now a is A's private key, γ_(A) is A's generator and γ_(A)^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.
-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
    γ_(A)^(a)=αβ^(−ƒ) (mod p)

Scheme 2.b:

-   1. A randomly chooses an integer k and computes β^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=β^(k)α^(c_A) (mod p) and ƒ=F(γ_(A),I_(A), OP), solves the signing equation for k_(A) (if k_(A)=0 or c, then chooses another c_(A))
    1=ck_(A)+c_(A)ƒ (mod q).
    Then CA computes γ_(A)¹=(β^(k))^(c_A c⁻¹) (mod p) and sends the triple (γ_(A)¹,k_(A),I_(A)) to A.
-   3. A computes γ_(A)=(γ_(A)¹)^(k⁻¹)β^(k) (mod p), ƒ=F(γ_(A),I_(A), OP), and a=k_(A)−kƒ (mod q) (if a=0 or 1, then goes back to step 1). Then checks if β^(a)=αγ_(A)^(−ƒ). Now a is A's private key, β is A's generator and β^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.
-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
    β^(a)=αγ_(A)^(−ƒ) (mod p)

Scheme 2.c:

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_A) (mod p) and ƒ=F(γ_(A),I_(A), OP), computes k_(A) (if k_(A)=c, then chooses another c_(A))
    k_(A)≡cƒ+c_(A) (mod q).
    Then CA computes γ_(A)¹=(α^(k))^(c_A) (mod p) and sends the triple (γ_(A)¹,k_(A),I_(A)) to A.
-   3. A computes a=k_(A)+k (mod q) (if a=0 or 1, then goes back to step 1) and computes γ_(A)=(γ_(A)¹)^(k⁻¹)α^(k) (mod p). Then checks if α^(a)=β^(ƒ)γ_(A). Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.
-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
    α^(a)=β^(ƒ)γ_(A) (mod p)

Scheme 2.d:

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_A) (mod p) and ƒ=F(γ_(A),I_(A), OP), computes k_(A) (if k_(A)=c_(A), then chooses another c_(A))
    k_(A)≡c_(A)ƒ+c (mod q).
    Then CA computes γ_(A)¹=(α^(k))^(c_A) (mod p) and sends the triple (γ_(A)¹,k_(A),I_(A)) to A.
-   3. A computes γ_(A)=(γ_(A)¹)^(k⁻¹)α^(k) (mod p), ƒ=F(γ_(A),I_(A), OP), and a=k_(A)+kƒ (mod q) (if a=0 or 1, then goes back to step 1). Then checks if α^(a)=γ_(A)^(ƒ)β. Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.
-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
    α^(a)=γ_(A)^(ƒ)β (mod p)

Notes (for schemes 2.a, 2.b, 2.c, 2.d):

-   1. The identity I_(A) may be chosen either by CA or by entity A.
-   2. CA should authenticate the entity A.
    It can be done either by presence in front of CA or by secure channel or by voice (for example, on the phone) or by the following method: in step 2, instead of sending the triple (γ_(A)¹,k_(A),I_(A)) to A, CA first sends γ_(A)¹ to A. A computes γ_(A), sets K=H(γ_(A)), encrypts the authentication information A_(A1) of A (such as VISA information) by DES (or another symmetric key system) and sends DES_(K)(A_(A1)) to CA. CA decrypts DES_(K)(A_(A1)) to get A_(A1). After checking the validity of A_(A1), CA then sends (k_(A), I_(A)) to A.
-   3. (γ_(A)¹,k_(A),I_(A)) can be sent by public channel.

In schemes 2.a-2.d above, the implicit certificate schemes are completed by the subject entity and the CA. Each scheme is essentially divided into two parts: a key-exchange part and a signature part. One function of the key exchange part is to transmit implicit certificate information from CA to A by public channel (more discussion is given in section 6). To speed up computation of the above schemes, we can modify the key exchange part. The following schemes 3.a-3.d are obtained by modifying schemes 2.a-2.d. The advantage of schemes 3.a-3.d is that user A can compute K before receiving a response from the CA, since β is fixed. This property is useful especially for the online case.

Scheme 3.a:

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(kc_A) (mod p) and ƒ=F(γ_(A),I_(A), OP), solves the signing equation for k_(A) (if k_(A)=0, then chooses another c_(A))
    1=cƒ+c_(A)k_(A) (mod q).
    Next CA computes K=H((α^(k))^(c)) and k̄_(A)=DES_(K)(k_(A)), then sends the triple (γ_(A), k̄_(A), I_(A)) to A.
-   3. A computes K=H(β^(k)), k_(A)=DES_(K)(k̄_(A)), and a=k_(A)k⁻¹ (mod q) (if a=1, then goes back to step 1). Then checks if γ_(A)^(a)=αβ^(−ƒ). Now a is A's private key, γ_(A) is A's generator and γ_(A)^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.
-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
    γ_(A)^(a)=αβ^(−ƒ) (mod p)

Scheme 3.b:

-   1. A randomly chooses an integer k and computes β^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=β^(k)α^(c_A) (mod p) and ƒ=F(γ_(A),I_(A), OP), solves the signing equation for k_(A) (if k_(A)=0, then chooses another c_(A))
    1=ck_(A)+c_(A)ƒ (mod q).
    Next CA computes K=H((β^(k))^(c_A c⁻¹))=H(α^(kc_A)) and k̄_(A)=DES_(K)(k_(A)), then sends the triple (γ_(A), k̄_(A), I_(A)) to A.
-   3. A computes K=H((γ_(A)/β^(k))^(k))=H(α^(kc_A)), k_(A)=DES_(K)(k̄_(A)), ƒ=F(γ_(A),I_(A),OP) and computes a=k_(A)−kƒ (mod q) (if a=0 or 1, then goes back to step 1). Then checks if β^(a)=αγ_(A)^(−ƒ). Now a is A's private key, β is A's generator and β^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.
-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
    β^(a)=αγ_(A)^(−ƒ) (mod p)

Note (for scheme 3.b):

-   1. The identity I_(A) may be chosen either by CA or by entity A.
-   2. CA should authenticate the entity A. It can be done either by presence in front of CA or by secure channel or by voice (for example, on the phone) or by the following method: in step 2, instead of sending the triple (γ_(A), k̄_(A), I_(A)) to A, CA first sends γ_(A) to A. A computes K=H((γ_(A)/β^(k))^(k))=H(α^(kc_A)), encrypts the authentication information A_(A1) of A (such as VISA information) by DES (or another symmetric key system) and sends DES_(K)(A_(A1)) to CA. CA decrypts DES_(K)(A_(A1)) to get A_(A1). After checking the validity of A_(A1), CA then sends (k̄_(A), I_(A)) to A.
-   3. (γ_(A), k̄_(A), I_(A)) can be sent by public channel.

Scheme 3.c:

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_A) (mod p) and ƒ=F(γ_(A),I_(A), OP), computes k_(A) (if k_(A)=0, then chooses another c_(A))
    k_(A)≡cƒ+c_(A) (mod q).
    Next CA computes K=H((α^(k))^(c)) and k̄_(A)=DES_(K)(k_(A)), then sends the triple (γ_(A), k̄_(A), I_(A)) to A.
-   3. A computes K=H(β^(k)), k_(A)=DES_(K)(k̄_(A)), and a=k_(A)+k (mod q) (if a=0 or 1, then goes back to step 1). Then checks if α^(a)=β^(ƒ)γ_(A). Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.
-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
    α^(a)=β^(ƒ)γ_(A) (mod p)

Scheme 3.d:

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_A) (mod p) and ƒ=F(γ_(A),I_(A), OP), computes k_(A) (if k_(A)=0, then chooses another c_(A))
    k_(A)≡c_(A)ƒ+c (mod q).
    Next CA computes K=H((α^(k))^(c)) and k̄_(A)=DES_(K)(k_(A)), then sends the triple (γ_(A), k̄_(A), I_(A)) to A.
-   3. A computes K=H(β^(k)), k_(A)=DES_(K)(k̄_(A)), ƒ=F(γ_(A),I_(A), OP), and a=k_(A)+kƒ (mod q) (if a=0 or 1, then goes back to step 1). Then checks if α^(a)=γ_(A)^(ƒ)β. Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.
-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
    α^(a)=γ_(A)^(ƒ)β (mod p)

Notes (for schemes 3.a, 3.c, 3.d):

-   1. The identity I_(A) may be chosen either by CA or by entity A.
-   2. CA should authenticate the entity A. It can be done either by presence in front of CA or by secure channel or by voice (for example, on the phone) or by the following method: in step 1, A computes α^(k) and K=H(β^(k)), then sends α^(k) and DES_(K)(A_(A1)) to CA. CA computes K=H((α^(k))^(c)) and decrypts DES_(K)(A_(A1)) to get A_(A1). After checking the validity of A_(A1), CA continues with step 2.
-   3. (γ_(A), k_(A), I_(A)) can be sent by public channel.

The advantages of schemes 3.a, 3.c and 3.d are that user A can compute K easily since β is fixed, and that k_(A) is encrypted so that nobody else can learn it. In fact, making k_(A) public does not decrease the security of the certificate scheme. The purpose of encrypting k_(A) is to make sure that the entity knows k. So for schemes 3.a-3.d, the DES encryption part can be removed and k̄_(A) can be replaced by k_(A), provided the certificate scheme uses the method described in Note 2.

To save transmission bandwidth in the above schemes, we can modify them by sending ƒ=F(γ_(A),I_(A), OP) instead of γ_(A). (Note that in general, the size of γ_(A) is larger than 160 bits and ƒ is just 160 bits.) The following scheme 4.c is a modification of scheme 3.c.

Scheme 4.c:

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_A) (mod p) and ƒ=F(γ_(A),I_(A), OP), computes k_(A) (if k_(A)=0, then chooses another c_(A))
    k_(A)≡cƒ+c_(A) (mod q).
    Next CA computes K=H((α^(k))^(c)) and k̄_(A)=DES_(K)(k_(A)), then sends the triple (ƒ, k̄_(A), I_(A)) to A.
-   3. A computes K=H(β^(k)), k_(A)=DES_(K)(k̄_(A)), and a=k_(A)+k (mod q) (if a=0 or 1, then goes back to step 1). Then computes γ_(A)=α^(a)β^(−ƒ) (mod p) and checks if ƒ=F(γ_(A),I_(A), OP). Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.
-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
    α^(a)=β^(ƒ)γ_(A) (mod p)

Furthermore, we can reduce the bandwidth by the following scheme 5.c.

Scheme 5.c:

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA.
-   2. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_A) (mod p) and sets γ̂_(A) as the first 80 least significant bits of γ_(A). Then computes ƒ=F(γ̂_(A),I_(A),OP) and k_(A) (if k_(A)=0, then chooses another c_(A))
    k_(A)≡cƒ+c_(A) (mod q).
    Next CA computes K=(α^(k))^(c) (mod p) and k̄_(A)=DES_(K)(k_(A)), then sends the triple (γ̂_(A), k̄_(A), I_(A)) to A.
    Note: (γ̂_(A), k̄_(A), I_(A)) can be sent by public channel.
-   3. A computes K=β^(k) (mod p), k_(A)=DES_(K)(k̄_(A)), and a=k_(A)+k (mod q) (if a=0 or 1, then goes back to step 1). Then computes ƒ=F(γ̂_(A),β,I_(A)), γ_(A)=α^(a)β^(−ƒ) (mod p) and checks if the first 80 least significant bits of γ_(A) are γ̂_(A). Now a is A's private key, α is A's generator and α^(a) is A's public key. A publishes (α, I_(A), β, γ_(A), p, q) in public domain.
-   4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
    α^(a)=β^(ƒ)γ_(A) (mod p)

The security level of scheme 5.c is not the same as that of the other schemes discussed before. Scheme 5.c only has 80 bit security.
But it is OK for practical application now. We can extend the first 80 least significant bits to the half least significant bits of γ_(A).

The implicit certificate can be used to certify some other useful information by including the information in the option parameter OP. For example OP=α^(a_E)∥OP₂, where a_(E) is another private key of user A and α^(a_E) is the corresponding public key. The following scheme 6.c is a modification of scheme 2.c. Other schemes can be modified in the same way.

Scheme 6.c:

-   1. A randomly chooses an integer a_(E) and computes α^(a_E).
-   2. A randomly chooses an integer k and computes α^(k), then sends α^(k) and α^(a_E) to CA.
-   3. CA randomly chooses an integer c_(A), computes γ_(A)=α^(k)α^(c_A) (mod p) and ƒ=F(γ_(A), I_(A), α^(a_E), OP₂) (for example, F(γ_(A),I_(A),α^(a_E),OP₂)=h(γ_(A)∥I_(A)∥α^(a_E))), computes k_(A) (if k_(A)=0, then chooses another c_(A))
    k_(A)≡cƒ+c_(A) (mod q).
    Then CA computes γ_(A)¹=(α^(k))^(c_A) (mod p) and sends the triple (γ_(A)¹,k_(A),I_(A)) to A.
-   4. A computes a=k_(A)+k (mod q) (if a=0 or 1, then goes back to step 1) and computes γ_(A)=(γ_(A)¹)^(k⁻¹)α^(k) (mod p). Then checks if α^(a)=β^(ƒ)γ_(A). Now a is A's private signing key, α is A's generator and α^(a) is A's public signing key. a_(E) is A's private encryption key and α^(a_E) is A's public encryption key. A publishes (α, α^(a_E), I_(A), β, γ_(A), p, q) in public domain.
-   5. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing
    α^(a)=β^(ƒ)γ_(A) (mod p).

Notes (for schemes 4.c, 5.c, 6.c):

-   1. The identity I_(A) may be chosen either by CA or by entity A.
-   2. CA should authenticate the entity A. It can be done by the method described in note 2 of scheme 3.c.
-   3. (ƒ, k̄_(A), I_(A)) or (γ̂_(A), k̄_(A), I_(A)) or (γ_(A)¹,k_(A),I_(A)) can be sent by public channel.

CA Chaining Scheme

A CA chaining structure can be implemented, in which CA1 authenticates CA2, CA2 authenticates CA3 and CA3 authenticates user A. In this section, we present an example with 3 CA's in the CA chain. We use basic scheme 3′ to demonstrate this example.

System Setup:

The highest trusted party CA1 selects an appropriate prime p with p=tq+1, where q is a large prime, and a generator α of order q. CA1 selects a random integer c₁ with 1≦c₁≦q−1 as its private key, then computes the public key β₁=α^(c₁) mod p and publishes (β₁, α, p, q).

Phase 1. CA2 applies for Implicit Certified Public Key from CA1.

-   1. CA2 randomly chooses an integer k₂ and computes α^(k₂), then sends it to CA1.
-   2. CA1 chooses a unique distinguished name or identity I_(CA2) and a random integer c_(CA2) with 1≦c_(CA2)≦q−1. Then CA1 computes γ_(CA2)=α^(k₂)α^(c_CA2) (mod p). (γ_(CA2) is CA2's public key reconstruction public data.)
-   3. CA1 chooses a function ƒ₁=F(γ_(CA2),I_(CA2)) and computes k_(CA2) (if k_(CA2)=0, then chooses another c_(CA2) in step 2 and re-computes k_(CA2)).
    k_(CA2)≡c₁ƒ₁+c_(CA2) (mod q)
-   4. CA1 computes γ_(CA2)¹=(α^(k₂))^(c_CA2) (mod p) and sends the triple (γ_(CA2)¹,k_(CA2),I_(CA2)) to CA2.
-   5. CA2 computes γ_(CA2)=(γ_(CA2)¹)^(k₂⁻¹)α^(k₂) (mod p). Then c₂=k_(CA2)+k₂ (mod q) is CA2's private key, α is CA2's generator and β₂=α^(c₂) is CA2's public key. CA2 publishes (α, I_(CA2), β₁, β₂, γ_(CA2), p, q) in public domain.
    Note: when a user trusts CA2, he/she can use β₂ directly.
-   6. Anyone can obtain CA2's (ID-based) implicitly verified public key from the public domain by computing
    β₂=α^(c₂)=β₁^(ƒ₁)γ_(CA2) (mod p)

Phase 2. CA3 Applies for Implicit Certified Public Key from CA2.

-   1. CA3 randomly chooses an integer k₃ and computes α^(k₃), then sends it to CA2.
-   2. CA2 chooses a unique distinguished name or identity I_(CA3) and a random integer c_(CA3) with 1≦c_(CA3)≦q−1. Then CA2 computes γ_(CA3)=α^(k₃)α^(c_CA3) (mod p). (γ_(CA3) is CA3's public key reconstruction public data.)
-   3. CA2 chooses a function ƒ₂=F(γ_(CA3),I_(CA3)) and computes k_(CA3) (if k_(CA3)=0, then chooses another c_(CA3) in step 2 and re-computes k_(CA3)).
    k_(CA3)≡c₂ƒ₂+c_(CA3) (mod q)
-   4. CA2 computes γ_(CA3)¹=(α^(k₃))^(c_CA3) (mod p) and sends the triple (γ_(CA3)¹,k_(CA3),I_(CA3)) to CA3.
-   5. CA3 computes γ_(CA3)=(γ_(CA3)¹)^(k₃⁻¹)α^(k₃) (mod p). Then c₃=k_(CA3)+k₃ (mod q) is CA3's private key, α is CA3's generator and β₃=α^(c₃) is CA3's public key. CA3 publishes (α, I_(CA3), β₂, β₃, γ_(CA3), p, q) in public domain.
    Note: when an entity trusts CA3, it can use β₃ directly.
-   6. Anyone can obtain CA3's (ID-based) implicitly verified public key from the public domain by computing
    β₃=α^(c₃)=β₂^(ƒ₂)γ_(CA3) (mod p)

Phase 3. User A Applies for Implicit Certified Public Key From CA3.

-   1. A randomly chooses an integer k and computes α^(k), then sends it to CA3.
-   2. CA3 chooses a unique distinguished name or identity I_(A) and a random integer c_(A) with 1≦c_(A)≦q−1. Then CA3 computes γ_(A)=α^(k)α^(c_A) (mod p). (γ_(A) is A's public key reconstruction public data.)
-   3. CA3 chooses a carefully chosen function ƒ₃=F(γ_(A), I_(A)) and computes k_(A) (if k_(A)=0, then chooses another c_(A) in step 2 and re-computes k_(A)).
    k_(A)≡c₃ƒ₃+c_(A) (mod q)
-   4. CA3 computes γ_(A)¹=(α^(k))^(c_A) (mod p) and sends the triple (γ_(A)¹,k_(A),I_(A)) to A.
-   5. A computes γ_(A)=(γ_(A)¹)^(k⁻¹)α^(k) (mod p). Then a=k_(A)+k (mod q) is A's private key, α is A's generator and β_(A)=α^(a) is A's public key. A publishes (α, I_(A), β₃, β_(A), γ_(A), p, q) in public domain.

Note: when a user trusts A, he/she can use β_(A) directly.

-   6. Anyone can obtain A's (ID-based) implicitly verified public key from the public domain by computing
    β_(A)=α^(a)=β₃^(ƒ₃)γ_(A) (mod p)

Phase 4. User A's signature and verification.

To sign a message M, user A does the following:

-   1. randomly chooses x, computes r=α^(x) (mod p).
-   2. computes e=ƒ_(A)=F(r,M), where F is some fixed function.
-   3. computes s=ae+x (mod q)
-   4. The signature on M is (r,s).

The verifier does the following:

-   1. gets CA1, CA2, CA3 and user A's public data
    (α, I_(CA2), I_(CA3), I_(A), β₁, β₂, β₃, β_(A), γ_(CA2), γ_(CA3), γ_(A), p, q)
-   2. reconstructs user A's public key
    β_(A)=β₁^(ƒ₁ƒ₂ƒ₃)γ_(CA2)^(ƒ₂ƒ₃)γ_(CA3)^(ƒ₃)γ_(A) (mod p)
-   3. computes e=ƒ_(A)=F(r,M).
-   4. computes r′=α^(s)β_(A)^(−e) (mod p)
-   5. if r=r′, the signature is verified. At the same time CA2, CA3 and user A's (ID-based) public keys are implicitly verified.

Reconstructing user A's public key needs only 3 known basis exponentiation operations and 3 multiplication operations. When the signature is valid, CA2, CA3 and user A's (ID-based) public keys are implicitly verified.

Notes:

-   1. If the verifier trusts A, then A's public key is β_(A).
-   2. If the verifier trusts CA3, then A's reconstructed public key is
    β_(A)=β₃^(ƒ₃)γ_(A) (mod p)
-   3. If the verifier trusts CA2, then A's reconstructed public key is
    β_(A)=β₂^(ƒ₂ƒ₃)γ_(CA3)^(ƒ₃)γ_(A) (mod p)

Co-Signing Scheme.

The following describes a scheme that allows multiple CA's to sign ONE implicit certificate. This is illustrated by the case where three CA's co-sign a certificate using the basic scheme 3′.

System Setup:

Let CA1, CA2 and CA3 have common system parameters: (1) a prime p with p=tq+1, where q is a large prime; (2) a generator α of order q; (3) a carefully chosen function ƒ=F(γ,(I_(A1)+I_(A2)+I_(A3))).

CA1 selects a random integer c₁ with 1≦c₁≦q−1 as its private key, then computes the public key β₁=α^(c₁) mod p and publishes (β₁, α, p, q). CA2 selects a random integer c₂ with 1≦c₂≦q−1 as its private key, then computes the public key β₂=α^(c₂) mod p and publishes (β₂, α, p, q). CA3 selects a random integer c₃ with 1≦c₃≦q−1 as its private key, then computes the public key β₃=α^(c₃) mod p and publishes (β₃, α, p, q).

Step 1. A randomly chooses an integer k and computes α^(k), then sends it to CA1, CA2 and CA3.

Step 2. CA's exchange information and compute implicit certificates

Phase 1.

-   1. CA1 chooses a unique distinguished name or identity I_(A1) and a random integer c_(A1) with 1≦c_(A1)≦q−1, computes α^(c_A1) and sends (α^(c_A1), I_(A1)) to CA2 and CA3.
-   2. CA2 chooses a unique distinguished name or identity I_(A2) and a random integer c_(A2) with 1≦c_(A2)≦q−1, computes (α^(c_A2), I_(A2)) and sends α^(c_A2) to CA1 and CA3.
-   3. CA3 chooses a unique distinguished name or identity I_(A3) and a random integer c_(A3) with 1≦c_(A3)≦q−1, computes (α^(c_A3), I_(A3)) and sends α^(c_A3) to CA1 and CA2.

Phase 2.

-   1. CA1 computes γ=α^(k)α^(c_A1)α^(c_A2)α^(c_A3) (mod p) (γ is A's public key reconstruction public data), computes ƒ=F(γ,(I_(A1)+I_(A2)+I_(A3))) and computes k_(A1) (if k_(A1)=0, then goes back to phase 1.)
    k_(A1)≡c₁ƒ+c_(A1) (mod q)
    CA1 computes γ_(A1)¹=(α^(k))^(c_A1) (mod p) and sends the triple (γ_(A1)¹,k_(A1),I_(A1)) to A.
-   2. CA2 computes γ=α^(k)α^(c_A1)α^(c_A2)α^(c_A3) (mod p) (γ is A's public key reconstruction public data), computes ƒ=F(γ,(I_(A1)+I_(A2)+I_(A3))) and computes k_(A2) (if k_(A2)=0, then goes back to phase 1.)
    k_(A2)≡c₂ƒ+c_(A2) (mod q)
    CA2 computes γ_(A2)¹=(α^(k))^(c_A2) (mod p) and sends the triple (γ_(A2)¹,k_(A2),I_(A2)) to A.
-   3. CA3 computes γ=α^(k)α^(c_A1)α^(c_A2)α^(c_A3) (mod p) (γ is A's public key reconstruction public data), computes ƒ=F(γ,(I_(A1)+I_(A2)+I_(A3))) and computes k_(A3) (if k_(A3)=0, then goes back to phase 1.)
    k_(A3)≡c₃ƒ+c_(A3) (mod q)
    CA3 computes γ_(A3)¹=(α^(k))^(c_A3) (mod p) and sends the triple (γ_(A3)¹,k_(A3),I_(A3)) to A.

Step 3. A Computes Implicitly Co-Certified Private Keys and Public Key Reconstruction Information.

-   1. A computes a=k_(A1)+k_(A2)+k_(A3)+k (mod q). (If a is 0 or 1, then goes back to step 1.)
-   2. A computes γ=(γ_(A1)¹γ_(A2)¹γ_(A3)¹)^(k⁻¹)α^(k) (mod p), ƒ=F(γ,(I_(A1)+I_(A2)+I_(A3))). Then verifies if α^(a)=(β₁β₂β₃)^(ƒ)γ (mod p).
-   3. Then a is A's implicitly co-certified private key, α is A's generator, I_(A)=I_(A1)+I_(A2)+I_(A3) is A's common ID and (β₁β₂β₃)^(ƒ)γ is A's implicitly co-certified public key.
-   4. A publishes (α, I_(A1), I_(A2), I_(A3), β₁, β₂, β₃, γ, p, q) in public domain.
-   5. Anyone can obtain A's (ID-based) implicitly co-certified public key from the public domain by computing (β₁β₂β₃)^(ƒ)γ (mod p)

Applications

The following examples are illustrated with respect to scheme 3 (or Scheme 7′) as CA's signing equation since everyone shares the same generator in this scheme. Each user can have a different CA as long as the CAs use the same system parameters (p,q,α) and each user has the same generator.

Setup:

CA1: System Parameters (α,β₁, p,q,d)

Alice has a private key a, generator α and publishes (α, I_(A), β, γ_(A), p, q) in the public domain.

CA2: System Parameters (α, β₂, p,q)

Bob has a private key b, a generator α and publishes (α, I_(B), β, γ_(B), p, q) in the public domain.

We use the MTI/C0 key agreement protocol to demonstrate how to use our new scheme. Assume Alice and Bob want to perform a key exchange.

The MTI/C0 Protocol

-   1. Alice reconstructs Bob's public key α^(b)=β^(F(γ_B, I_B))γ_(B), and randomly chooses an integer x and computes (α^(b))^(x), then sends it to Bob.
-   2. Bob reconstructs Alice's public key α^(a)=β^(F(γ_A, I_A))γ_(A), and randomly chooses an integer y and computes (α^(a))^(y), then sends it to Alice.
-   3. Alice computes the shared key K_(A)=(α^(ay))^(xa⁻¹)=α^(xy)
-   4. Bob computes the shared key K_(B)=(α^(bx))^(yb⁻¹)=α^(xy)

This is a two-pass protocol. With the implicit certificate scheme of the present invention, each party performs only three exponentiation operations to obtain the shared key while at the same time performing an authenticated key agreement and implicit public key verification.
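The enrolment of scheme 2.c and the MTI/C0 exchange above, combined in one runnable sketch. This is an added example, not code from the patent; the toy group (p=2039, q=1019, α=4), the use of SHA-256 for F, and all class and function names are assumptions made for illustration.

```python
"""Implicit certificates (scheme 2.c) feeding the MTI/C0 key agreement.

Toy parameters constructed for this example; far too small for real use.
"""
import hashlib
import secrets

# Constructed toy group: p = 2q + 1, ALPHA has prime order q modulo p.
P, Q, ALPHA = 2039, 1019, 4
assert pow(ALPHA, Q, P) == 1 and ALPHA != 1


def rand_exp():
    """Random exponent in [1, q-1]."""
    return secrets.randbelow(Q - 1) + 1


def F(gamma, identity):
    """f = F(gamma_A, I_A); SHA-256 reduced mod q is an assumption here."""
    data = gamma.to_bytes((P.bit_length() + 7) // 8, "big") + identity.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def reconstruct(beta, gamma, identity):
    """Step 4: anyone computes alpha^a = beta^f * gamma_A (mod p)."""
    return pow(beta, F(gamma, identity), P) * gamma % P


class CA:
    def __init__(self):
        self.c = rand_exp()                # CA private key c
        self.beta = pow(ALPHA, self.c, P)  # CA public key beta = alpha^c

    def issue(self, alpha_k, identity):
        """Step 2: answer the request alpha^k with (gamma_A^1, k_A, I_A)."""
        while True:
            c_a = rand_exp()
            gamma = alpha_k * pow(ALPHA, c_a, P) % P        # alpha^k * alpha^c_A
            k_a = (self.c * F(gamma, identity) + c_a) % Q   # k_A = c*f + c_A
            # Scheme 2.c rejects k_A = c; scheme 3.c rejects k_A = 0.
            if k_a not in (0, self.c):
                return pow(alpha_k, c_a, P), k_a, identity  # gamma_A^1 = (alpha^k)^c_A


def enroll(ca, identity):
    """Steps 1 and 3 on the subscriber side; returns (a, gamma_A)."""
    while True:
        k = rand_exp()
        gamma_1, k_a, _ = ca.issue(pow(ALPHA, k, P), identity)
        a = (k_a + k) % Q
        if a in (0, 1):
            continue  # back to step 1 with a fresh k
        # gamma_A = (gamma_A^1)^(k^-1) * alpha^k (mod p)
        gamma = pow(gamma_1, pow(k, -1, Q), P) * pow(ALPHA, k, P) % P
        if pow(ALPHA, a, P) != reconstruct(ca.beta, gamma, identity):
            raise ValueError("CA response fails alpha^a = beta^f * gamma_A")
        return a, gamma


def mti_c0_send(peer_public):
    """Pick an ephemeral exponent and return (exponent, peer_public^exponent)."""
    eph = rand_exp()
    return eph, pow(peer_public, eph, P)


def mti_c0_key(received, own_eph, own_private):
    """K = received^(eph * private^-1) = alpha^(xy) (mod p)."""
    return pow(received, own_eph * pow(own_private, -1, Q) % Q, P)


def demo():
    """Alice enrolls with CA1, Bob with CA2; both derive the same key."""
    ca1, ca2 = CA(), CA()
    a, gamma_a = enroll(ca1, "alice")
    b, gamma_b = enroll(ca2, "bob")
    # Each side rebuilds the peer's public key from public data only.
    x, to_bob = mti_c0_send(reconstruct(ca2.beta, gamma_b, "bob"))
    y, to_alice = mti_c0_send(reconstruct(ca1.beta, gamma_a, "alice"))
    return mti_c0_key(to_alice, x, a), mti_c0_key(to_bob, y, b)


if __name__ == "__main__":
    k_alice, k_bob = demo()
    print("shared keys match:", k_alice == k_bob)
```

Neither party checks a certificate signature: the keys agree only if each side holds the private key matching the reconstructed public key, which is the implicit verification the text describes.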

The following are examples of signcryption schemes. We use scheme 3 (or scheme 7) as CA's signing equation since everyone shares the same generator in this scheme. For the scheme thereafter, we use scheme 13 as CA's signing equation. For all schemes in this section, each user can have a different CA as long as the CA's use the same system parameters (p,q,α) and each user has the same generator.

Setup:

CA1: System Parameters (α, β₁, p, q)

Alice: private key a, generator α and (α, I_(A), β₁, γ_(A), p, q) in public domain.

CA2: System Parameters (α, β₂, p, q)

Bob: private key b, generator α and (α, I_(B), β₂, γ_(B), p, q) in public domain

Bob wants to send a signed and encrypted message M to Alice:

Signcryption Protocol 1:

Assume Bob wants to send a signed and encrypted message M to Alice:

Bob does following:

-   1. reconstructs Alice's public key α^(a)=β^(F(γ_A, I_A))γ_(A) mod p
-   2. randomly chooses an integer x and computes a key r=(α^(a))^(x) (mod p)
-   3. computes C=DES_(r)(M)
-   4. computes e=hash(C I_(A))
-   5. computes s=be+x (mod q)
-   6. sends the pair (C,s) to Alice; C is the encrypted message and s is the signature.

To recover the message Alice does following:

-   1. computes e=hash(C I_(A))
-   2. reconstructs Bob's public key α^(b)=β^(F(γ_B, I_B))γ_(B) mod p
-   3. computes α^(as)(α^(b))^(−ae) (mod p), which is r
-   4. decrypts the message M=DES_(r)(C)
-   5. checks for redundancy

Thus, Bob only does two exponentiation operations and Alice does three exponentiation operations. But Alice and Bob are both confident of each other's authentication. Note that for this scheme, the message M must have some redundancy or pattern.

Signcryption Protocol 2 (General Case):

Setup:

CA1: System Parameters (α, β₁, p,q)

Alice: private key a, generator α and (α, I_(A), β₁, γ_(A), p, q) in public domain.

CA2: System Parameters (α, β₂, p, q)

Bob : private key b , generator α and (α, I_(B), β₂, γ_(B), p, q) in public domain

Note: this setup is for the implicit certificate scheme. For usual certificate schemes, we only require that Alice and Bob have the same generator.

To signcrypt a message to Alice, Bob does following:

-   1. gets Alice's public key α^(a) (in the case of implicit certificate scheme, reconstructs Alice's public key α^(a)=β₁^(F(γ_A, β₂, I_A))γ_(A) (mod p))
-   2. randomly chooses an integer x and computes r=(α^(a))^(x) (mod p)
-   3. computes C=DES_(r)(M)
-   4. computes e=hash(C∥α^(ƒ1))
-   5. computes s=be+x (mod q)
-   6. sends (C,s) to Alice. C is the encrypted message and s is the signature.

To recover the message Alice does the following:

-   1. computes e=hash(C∥α^(ƒ1))
-   2. gets Bob's public key α^(b) (in the case of implicit certificate scheme, reconstructs Bob's public key α^(b)=β₂^(F(γ_B, β₁, I_B))γ_(B) (mod p))
-   3. computes α^(as)(α^(b))^(−ae) (mod p), which is r
-   4. decrypts the message M=DES_(r)(C)

Note:

-   1. If the certificate scheme is not the implicit certificate as described herein, Alice and Bob's public keys should be verified.
-   2. The message M must have some redundancy or pattern.
-   3. Anyone who knows one value r can decrypt any messages from Bob to Alice since the value α^(rb) will be exposed.
-   4. In general, we should include an option parameter in the hash e, i.e. e=hash(C∥α^(ƒ1)∥OP). For example, OP=α^(b) or OP=α^(b)∥β₁∥β₂.

The signcryption schemes above have the drawback that if the signer loses his/her private signing key, then all messages the signer signcrypted will be exposed to the public. To protect post encryption we propose a new signcryption scheme. In the new scheme, each user has two pairs of keys: one pair is the signature key pair, the other is the encryption key pair. The new scheme can be used with any certificate scheme, but it is more efficient if it is used with our implicit certificate scheme.

Signcryption Protocol 3 (General Case):

Setup:

Alice: private signing key a and private encryption key a_(E), generator α and (α, α^(a_(E)), I_(A), β₁, γ_(A), p, q) in public domain.

CA2: System Parameters (α, β₂, p, q)

Bob: private signing key b and private encryption key b_(E), generator α and (α, α^(b_(E)), I_(B), β₂, γ_(B), p, q) in public domain

Note: this setup is for the implicit certificate scheme using scheme 6.c. For usual certificate scheme systems, we only require that Alice and Bob have the same generator.

To signcrypt a message to Alice, Bob does the following:

1. gets Alice's public signing key α^(a) and public encryption key α^(a_(E)) (in the case of the implicit certificate scheme, reconstructs Alice's public signing key α^(a)=β₁^(F(γ_(A),β₁,I_(A),α^(a_(E))))γ_(A) (mod p))
2. randomly chooses an integer x and computes r=(α^(a)α^(a_(E)))^(x) (mod p)
3. computes C=DES_(r)(M)
4. computes e=hash(C∥α^(a)∥α^(a_(E))∥α^(b)∥α^(b_(E))∥OP)
5. computes s=be+x+b_(E) (mod q)
6. sends (C,s) to Alice. C is the encrypted message and s is the signature.

To recover the message, Alice does the following:

1. computes e=hash(C∥α^(a)∥α^(a_(E))∥α^(b)∥α^(b_(E))∥OP)
2. gets Bob's public signing key α^(b) and public encryption key α^(b_(E)) (in the case of the implicit certificate scheme, reconstructs Bob's public signing key α^(b)=β₂^(F(γ_(B),β₂,I_(B),α^(b_(E))))γ_(B) (mod p))
3. computes α^((a+a_(E))s)(α^(b))^(−(a+a_(E))e)α^(−(a+a_(E))b_(E)) (mod p), which is r
4. decrypts the message M=DES_(r)(C)

Note:

1. We can think of the receiver Alice's private key as a+a_(E). This means the receiver only needs one private key instead of two private keys, but the sender Bob needs two private keys. In the case of a normal certificate, the receiver only needs one private key.
2. If the certificate scheme is not the implicit certificate scheme described in this application, Alice's and Bob's public keys should be verified.
3. The message M must have some redundancy or pattern.
4. The parameter OP inside the hash e=hash(C∥α^(a)∥α^(a_(E))∥α^(b)∥α^(b_(E))∥OP) may be empty or OP=β₁∥β₂.
5. Knowing one r value does not reveal any information about the post messages.
6. With the implicit certificate scheme, Bob only does 2 exponentiation operations and Alice does 4 exponentiation operations. But Alice and Bob are both confident that the other is the authentic party.
7. If anyone knows Alice's private key a+a_(E), or Bob loses both private keys, the post encrypted message cannot be protected.

For normal signatures, one problem is that the signer may deny that he/she signed the signature. This is called repudiation. Protocols 1 and 2 above have a non-repudiation feature provided one trusts the judge. That is, the signer cannot deny that he/she signed the signcrypted message. Protocol 3 has a non-repudiation feature even when the judge is not trusted. The next protocol demonstrates how a judge decides a case where Bob wants to deny the signature.

Non-Repudiation Protocol:

1. Alice sends (C,s) to Judge
2. Judge computes e=hash(C∥α^(a)∥α^(a_(E))∥α^(b)∥α^(b_(E))∥OP) and α^(x)=α^(s)(α^(b))^(−e)α^(−b_(E)) (Note: Alice's and Bob's two pairs of public keys should be verified. In the case of the implicit certificate scheme, the public keys should be computed from the reconstruction public data.)
3. Judge randomly chooses two integers r₁ and r₂, computes L=(α^(x))^(r₁)α^(r₂) and sends L to Alice
4. Alice computes L^(a+a_(E)) and sends it back to Judge
5. Judge computes r=(L^(a+a_(E))(α^(a)α^(a_(E)))^(−r₂))^(r₁⁻¹) and recovers the message by M=DES_(r)(C)
6. If M has proper format, then (C,s) must have been signcrypted by Bob.
7. After the judge makes the decision, he sends the values (α^(x), r₁, r₂, L, L^(a+a_(E))) to Alice and Bob to back up his decision.

For the other two signcryption protocols the non-repudiation protocols are similar, provided one fully trusts the judge.
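The following is an added worked example, not code from the patent: it runs Signcryption Protocol 3 and the judge's recovery from the non-repudiation protocol end to end, so the exponent cancellations can be checked. Assumptions: a constructed toy group (p=2039, q=1019, α=4), SHA-256 as the hash with OP empty, a SHA-256 keystream XOR standing in for DES_r, public keys taken as already verified rather than reconstructed from implicit certificates, and hypothetical function names throughout.

```python
import hashlib, secrets

P, Q, ALPHA = 2039, 1019, 4      # constructed toy group: P = 2Q + 1, ALPHA has order Q
TAG = b"MSG:"                    # redundancy required in M so a wrong r is detectable

def H(C, pubs):                  # e = hash(C || alpha^a || alpha^a_E || alpha^b || alpha^b_E), OP empty
    data = C + b"".join(k.to_bytes(2, "big") for k in pubs)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def cipher(r, data):             # stand-in for DES_r: XOR with a SHA-256 keystream (self-inverse)
    ks = b"".join(hashlib.sha256(b"%d:%d" % (r, i)).digest() for i in range(len(data) // 32 + 1))
    return bytes(d ^ k for d, k in zip(data, ks))

def check(M):                    # accept only plaintext that carries the expected pattern
    return M[len(TAG):] if M.startswith(TAG) else None

def signcrypt(msg, b, bE, pubs):             # Bob's side; pubs = (A, AE, B, BE)
    A, AE, _, _ = pubs
    x = secrets.randbelow(Q - 1) + 1
    r = pow(A * AE % P, x, P)                # r = (alpha^a * alpha^a_E)^x
    C = cipher(r, TAG + msg)
    return C, (b * H(C, pubs) + x + bE) % Q  # s = b*e + x + b_E (mod q)

def unsigncrypt(C, s, a, aE, pubs):          # Alice's side, using the single key a + a_E
    _, _, B, BE = pubs
    k, e = (a + aE) % Q, H(C, pubs)
    r = pow(ALPHA, k * s % Q, P) * pow(B, -k * e % Q, P) * pow(BE, -k % Q, P) % P
    return check(cipher(r, C))

def judge(C, s, pubs, ask_alice):            # ask_alice(L) must return L^(a+a_E) mod P
    A, AE, B, BE = pubs
    ax = pow(ALPHA, s, P) * pow(B, -H(C, pubs) % Q, P) * pow(BE, Q - 1, P) % P  # alpha^x
    r1, r2 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q)
    L = pow(ax, r1, P) * pow(ALPHA, r2, P) % P          # blinded challenge sent to Alice
    r = pow(ask_alice(L) * pow(A * AE % P, -r2 % Q, P) % P, pow(r1, -1, Q), P)
    return check(cipher(r, C))               # None means M lacks the proper format

a, aE, b, bE = 123, 456, 789, 321            # constructed private keys
pubs = tuple(pow(ALPHA, k, P) for k in (a, aE, b, bE))
C, s = signcrypt(b"pay 10 to Carol", b, bE, pubs)
```

The judge never learns a+a_(E): it only sees the blinded value L^(a+a_(E)), and the format check on the recovered M is what ties (C,s) to Bob's keys.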

In conclusion it may be seen that the present scheme, when combined with an application protocol for which the user's private key must be used directly in computation, provides an implicitly certified ID-based public key of the user. These schemes can also be used for a Key Authentication Center (KAC) to distribute implicitly certified public keys to users.

A further application of implicitly certified public keys is that the bit strength of the certifying authority is the same as that of the user or entity public keys being certified. By bit strength is meant the relative key sizes and processing power of the entities concerned.

One approach to addressing this issue is to embed implicitly certified public keys into more traditional certificate structures such as specified in X.509 certificates, where the signature on the certificate is at a higher bit strength than the implicitly certified public key. Hence, the CA has certified the user public key at two different security levels. Any other entity retrieving a public key can decide on which security level they wish to accept. In some applications it may be that only the lower level provided by the implicit value is necessary to provide the performance required.

While the invention has been described in connection with specific embodiments thereof and in specific uses, various modifications thereof will occur to those skilled in the art without departing from the spirit of the invention as set forth in the appended claims. For example, in the above description of preferred embodiments, use is made of multiplicative notation; however, the method of the subject invention may be equally well described utilizing additive notation. It is well known, for example, that the elliptic curve algorithm embodied in the ECDSA is the equivalent of the DSA, and that it is the elliptic curve analog of a discrete logarithm algorithm that is usually described in the setting of F_(p)^(*), the multiplicative group of the integers modulo a prime. There is a correspondence between the elements and operations of the group F_(p)^(*) and the elliptic curve group E(F_(q)). Furthermore, this signature technique is equally well applicable to functions performed in a field defined over F_(p) and F_(2^n). It is also to be noted that the DSA signature scheme described above is a specific instance of the ElGamal generalized signature scheme, which is known in the art, and thus the present techniques are applicable thereto.

1-3. (canceled)
 4. A certificate generated by a trusted entity CA to permit generation of a public key of a subscriber A in a secure digital communication system; said certificate comprising a unique identity I_(A) distinguishing said entity A, and a public key reconstruction public data γ_(A), of said entity A generated by mathematically combining public values obtained from respective private values of said trusted party CA and said entity A; said public key being generated from public information and information in said certificate; said public key corresponding to a private key generated by said entity A from a value k_(A), the private value of said entity A, and certificate information; said value k_(A) being generated by the trusted party CA by binding entity information ƒ with private values of said CA, said information ƒ being derived by combining information in said certificate information in accordance with a mathematical function.
 5. A certificate according to claim 4, wherein said mathematical function is a secure hash function.
 6. A certificate according to claim 4, wherein said private value of said entity A is made available at said entity A and the corresponding public value obtained therefrom is made available at said trusted party CA.
 7. A certificate according to claim 4, wherein the mathematical combination of said public values obtained from respective private values of said trusted party CA and said entity A is a multiplication.
 8. A certificate according to claim 4, wherein private values of said trusted party CA include a private key and an integer.
 9. A certificate according to claim 8, wherein one of the public values obtained from respective private values of said trusted party CA and said entity A, corresponds to said private key of said trusted party CA.
 10. A certificate according to claim 8, wherein said value k_(A) is computed by multiplying said entity information ƒ by said integer and adding said private key of said trusted party CA thereto.
 11. A certificate according to claim 9, wherein said value k_(A) is computed by multiplying said entity information ƒ by said integer and adding said private key of said trusted party CA thereto. 